EU citizens will see their 'right to be forgotten' online enshrined in EU law on Friday (25 May), but its effectiveness and reach will depend on a case which is still pending in front of the Court of Justice of the EU.

Don't miss out on

Why join?

But it is not yet clear to what extent the right to have personal data erased or removed from search engine results will apply globally.

"This issue is just now pending in front of the Court of Justice: the reach, the applicability of the decisions by our data protection authorities," said a European Commission official on Wednesday, on condition of anonymity.

"We cannot apply our EU law extraterritorially. … How does it work in such a medium as internet?"

The provision in GDPR follows an earlier ruling by the Luxembourg-based EU court in 2014, which said that search engines had to remove results related to an EU citizen's name if they were "inadequate, irrelevant or no longer relevant".

However, the question is how such a right can be effectively applied in light the global nature of the internet.

The French data protection authority (DPA) was one of the most aggressive DPAs enforcing the right to be forgotten – which has since become known as 'delisting' or 'de-referencing'.

In 2016, it demanded that Google not only delist information from French citizens from the search engine's French version Google.fr, but also from Google.com and other non-French domain names - which, because of the global nature of internet, are available to French users too.

Feature

Google has removed 800,000 search results across the EU following complaints from citizens, without the public knowing what has been removed, why it was removed or who complained. We revisit the case that rewrote history online.

The European Data Protection Board is a new EU body tasked with enforcing the EU's privacy laws with powers to impose massive fines. Its head Andrea Jelinek told reporters complaints against companies are expected to be immediate.

The success of the new general data protection regulation (GDPR) will depend on whether data protection authorities enforce the new rules - which, in turn, will be at least partly determined by how many people they employ.